
Mageia alert MGASA-2020-0049 (libsass)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2020-0049: Updated libsass packages fix security vulnerabilities
Date:  Tue, 28 Jan 2020 08:53:44 +0100
Message-ID:  <20200128075344.58F679F6EB@duvel.mageia.org>

MGASA-2020-0049 - Updated libsass packages fix security vulnerabilities

Publication date: 28 Jan 2020
URL: https://advisories.mageia.org/MGASA-2020-0049.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2018-11499,
     CVE-2018-19797,
     CVE-2018-19827,
     CVE-2018-19837,
     CVE-2018-19838,
     CVE-2018-19839,
     CVE-2018-20190,
     CVE-2018-20821,
     CVE-2018-20822,
     CVE-2019-6283,
     CVE-2019-6284,
     CVE-2019-6286

Description:
Use-after-free vulnerability in sass_context.cpp:handle_error (CVE-2018-11499).
Null pointer dereference in Sass::Selector_List::populate_extends (CVE-2018-19797).
Use-after-free vulnerability exists in the SharedPtr class (CVE-2018-19827).
Stack overflow in Eval::operator() (CVE-2018-19837).
Stack-overflow at IMPLEMENT_AST_OPERATORS expansion (CVE-2018-19838).
Buffer-overflow (OOB read) against some invalid input (CVE-2018-19839).
Null pointer dereference in Sass::Eval::operator() (Sass::Supports_Operator*) (CVE-2018-20190).
Uncontrolled recursion in Sass:Parser:parse_css_variable_value (CVE-2018-20821).
Stack-overflow at Sass::Inspect::operator() (CVE-2018-20822).
Heap-buffer-overflow in Sass::Prelexer::parenthese_scope(char const*) (CVE-2019-6283).
Heap-based buffer over-read exists in Sass:Prelexer:alternatives (CVE-2019-6284).
Heap-based buffer over-read exists in Sass:Prelexer:skip_over_scopes (CVE-2019-6286).

References:
- https://bugs.mageia.org/show_bug.cgi?id=25755
- https://lists.opensuse.org/opensuse-updates/2019-07/msg00...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6283
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6284
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6286

SRPMS:
- 7/core/libsass-3.6.1-1.mga7




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds